“Orignal post from https://blogs.vmware.com/euc/2020/04/business-continuity-vdi-versus-vpn.html“
Due to the restrictions businesses have implemented in response to recent unprecedented events, the majority of the world’s office workers are now working from home, and IT departments are scrambling to figure out how to support the massive increase in home workers. (Shawn Bass and I wrote a blog post a few weeks ago with planning suggestions and first steps you can take.)
One of the questions that’s come up repeatedly is, “In this business continuity scenario where everyone is trying to work from home, what’s better: VDI or VPN?” Unfortunately, the answer is complex and depends on several things. In this blog post, I’ll explore these options to help you make your choice.
What is does “VDI versus VPN” even mean?
Most office workers today use Windows-based computers for their jobs, whether those are desktop computers at a work location, laptops (which can be used in the office, at home or on the road), or remote/virtual desktops (either VDI or RDSH) where the user’s Windows desktop runs as a virtual machine in a datacenter somewhere (either on premises or in the cloud). The question of “VDI versus VPN” really means, “When my users work from home, should I provide a remote virtual desktop they can access from any type of device in their home? (VDI) Or, should I get them a laptop which runs everything locally on it and then have them connect back to the office through the VPN to access their files, apps, etc.? (VPN)”
Before we can even answer which one is “better”, or which option you “should” do, think about how you define what “better” is.
For example, do you define the better solution as the one that is…
- Fastest to deploy?
- Easiest to deploy?
- Cheapest to deploy?
- Best user experience?
- Will work for the most users?
- Provides the best security?
By the way you don’t get to say “yes” to all of these. It’s like that old business adage: “Fast, cheap, and easy: you can only have two of the three.”
It’s also impossible to go down that list and just say VDI or VPN is more appropriate for each since the answer for each could be VDI or VPN depending on your specific situation. In order to think about which makes more sense for you, think about the following questions:
- What applications do you need to support? Are these all web apps, or Windows apps?
- Is everything on-premises, or do you have cloud or SaaS apps?
- Do you already have experience with VDI, and have you already done that engineering? Is there an already-running VDI environment you can expand?
- Do you already have experience managing remote Windows laptops (outside the firewall), and have you already done that engineering?
- Do your users already have laptops they will be taking home, or will they need to find new devices? (If new, will you be providing them or are the users on their own?)
- How do you manage laptops today? Legacy SCCM, AD, and GPOs? Or with a modern, cloud-based, real-time unified endpoint management platform?
- Do you already have a VPN? Do you have enough licenses for all your remote users?
- Do you have enough bandwidth for your remote users? Have you thought about how your bandwidth needs will change? (e.g. if VDI was only internal, but will now be used for home workers, can you support all that increase in corporate internet traffic?)
- Are there “easy” things you can do to free up corporate internet bandwidth? (e.g. Enable split tunneling for VPN users.)
- Do your “other” infrastructure components work better for one option over the other? (e.g. legacy file shares are easy for VDI but hard for home computers, and modern things like Dropbox or One Drive are easy for home computers but hard for VDI.)
- Are there any regulatory requirements dictating certain technology decisions? (e.g. some regulation that says no customer data can be stored locally on a device, etc.)
You may find that you end up with a mix of both. There might be some users or locations where the VDI route makes more sense, and others where the VPN option should win out.
Using VDI for remote workers
First, the phrase “VDI” has traditionally described a scenario where a user remotely accesses a Windows 10-based desktop running as a VM on a server in your datacenter. However, for the purposes of this conversation, we should broaden our definition of VDI to include any scenario where a user connects to a Windows desktop from some random client device. So, in addition to traditional VDI, this could also mean multi-session RDSH hosted desktops, or it could be VDI or RDSH technologies running in the cloud that you pay for as a service (DaaS, Microsoft WVD, etc.).
The VDI family of technologies have several attractive characteristics (note that whole books have been written on this, so I’m just selectively highlighting a few that are most relevant):
- It doesn’t matter what type of device the user has at home. It can be a modern Windows computer, a ten-year-old tower they found in their basement, an iPad, their kid’s Chromebook, an old MacBook, etc. “Push it/pull it/drag it/tow it! We can make it work!”
- Getting connected to a VDI desktop does not require any “IT” expertise at the user’s house. Just point them to a web page and have them log in, and they can access their full Windows corporate desktop in minutes.
- “Built-in” security, since all applications and data stay back on the servers in the office or the cloud, so you don’t have to worry about what might be saved on a user’s home device, which means you don’t have to worry about it being lost, stolen, etc.
VDI has some drawbacks, too:
- Engineering and building a VDI environment is complex. If you don’t currently have VDI, you’ll need to get the right experts in to help design and build it, and that might take too long given work from home restrictions.
- Your home users will require decent internet connections to be able to work. An internet outage or slowdown essentially means that you’ve just taken your users’ computers away from them. Good luck with them working now.
- VDI requires more bandwidth and server horsepower for larger displays & multiple monitors. Users who normally work like this might have a worse experience through VDI. (There are stories in the news now of financial traders trying to work from home with a single display versus the office where they have 8!)
- Not all applications work well via the remote connection of the VDI desktop. Audio/video conferencing apps are notoriously challenging for VDI, and ironically those are the types of apps which are used most by employees working from home (though tech-savvy users can manually join meetings from their iPhones or iPads and not through their Windows VDI desktops).
- If you already have VDI which you use from your office (yay!), and then you think, “Cool, I will just use this for the home users now,” you might run into bandwidth limitations with your corporate office’s internet connection.
- VDI can be expensive because you need all the server hardware to run all your users’ desktops. So, if you have already bought laptops for your users, but then they use those laptops to access VDI, it’s like you’re paying for each desktop twice.
Using a VPN for remote workers
The “VPN” option essentially means your users use regular laptops at home, and the apps they use are installed locally on those laptops. Then for things they need from the office (file shares, corporate systems and databases, etc.) they connect to the VPN to get on the corporate network from home.
Again, there are a lot of attractive aspects to this, including:
- If your users already have corporate laptops, you essentially don’t have to “do” anything. Just tell your users to take their laptops home and start working.
- This option does not require a lot of back end setup or purchases (e.g. you don’t need expensive VDI servers or to pay $30+ per month per user for DaaS). All the “work” is being done on the laptops.
There are some downsides to the VPN option too:
- Since all your applications will run locally on a laptop in a user’s house, you need to figure out how to get those applications installed and how you’ll keep them up to date.
- What if the user’s laptop is too old and can’t run all your applications? What if it’s a Mac?
- Any data or files the user works with will be copied locally onto their computer at their house. Are you okay with this?
- A VPN puts the user’s laptop on the corporate network, even if they’re at home. What does this mean for things like Patch Tuesday, where you might have your own software distribution infrastructure (WSUS, distribution servers, BranchCache, P2P, etc.)? Will your VPN and corporate internet pipe be able to handle all the patches going through the corporate network to your users? Will users not on the VPN even get the updates?
- For users who don’t have corporate laptops, it can be very challenging to get a brand-new laptop up and running with everything installed and configured when the user is 100% at home and the laptop never came into the office.
- If you need to get new laptops for your users, will your existing Windows image work with them? How much time and effort will be required? And what if all your users end up with different makes and models? Will you ever be able to get everything installed and running on them remotely?
- Most VPN software performs security checks before allowing the user to connect to the VPN. For example, these checks might ensure the device is up to date with patches, antivirus, etc. If everyone working from home slows down the update and patching process, are you able to lower your security standard to let lagging machines onto the VPN?
That said, these VPN advantages and disadvantages have several asterisks and footnotes.
For example, the statement it’s hard to configure a new laptop remotely is only true if you’re using legacy PCLM tools (Microsoft SCCM, GPOs, on-prem AD, VPNs, etc.). If you have a modern management platform (VMware Workspace ONE, etc.), you can leverage the modern, cloud-based capabilities of Windows 10 to allow users to easily self-enroll their laptops—even random, new ones bought at local stores by the users—and the laptops automatically download, update, secure and configure themselves, and keep themselves up-to-date, all via the cloud.
This is awesome! But it requires that you’ve already done the engineering and setup work to facilitate this. So, if you’re in the process of migrating—or you’ve already migrated—your physical Windows 10 PC management to Workspace ONE UEM, then you can use that, and you’re all set.
But if you still have SCCM and nothing modern, then there’s really no way you can use what you have to onboard random computers in peoples’ homes. (Some customers are setting up new SaaS-based Workspace ONE UEM environments now, which they’re using to onboard new remote Windows 10 and Mac laptops, while keeping the old SCCM environment in place for all their existing laptops that use it for management.)
What about users who don’t have computers at home?
Many office workers don’t have corporate laptops, so if those workers need to work from home, you have to think about what options they have:
- You buy them a device and ship it to their house.
- You tell them to use whatever random computer they already have.
- You tell them to go to Amazon, Walmart, etc. and buy a new laptop.
- You tell them to just use their phone or tablet.
So, what’s the call?
The biggest argument for whether to go VDI versus VPN, to me, is, “Which technology option are you the most comfortable with? Where have you spent the most engineering effort?”
Both a VDI desktop and a physical laptop require lots of engineering to get them to work. With VDI, you have to think about the servers, IOPS, disk images, application layering, printing, user profiles, login times, number of monitors, GPUs, pixels and bandwidth, client updates, etc. Whole books are written on this and people (like me!) dedicate decades of their lives to understanding it all.
But the same is true for Windows laptops which would connect via the VPN option. Desktop architects spend months or years designing the image, thinking about how applications are installed and configured, setting up all the security tools, disk encryption, monitoring, software patches and updated, VPN tunnels, and many other things.
So, my short answer would be, “You should go with whatever you’re the most comfortable with.” If you’ve never done VDI before, unless you can find a great consulting partner, it wouldn’t be easy to recommend jumping into VDI in a sort of emergency way.
The same is true for VPNs and laptops. If your only experience managing Windows devices is based on ones that are in your office, then managing remote laptops out in the world is going to be pretty stressful given the challenges created by quarantine.